My Exchange 2019 R3 issued certificate flagged as invalid

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.custom-hubcaps.com

I ran this command: Win-Acme (WACS) ACMEv2 client for Windows v2.1.13.978

It produced this output:

2021-01-02 00:00:24.997 -08:00 [INF] Arguments: --target manual --host mail.custom-hubcaps.com,autodiscover.custom-hubcaps.com --certificatestore My --acl-fullcontrol network service,administrators --installation iis,script --installationsiteid 1 --script ./Scripts/ImportExchange.ps1 --scriptparameters '{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}' --verbose
2021-01-02 00:00:25.187 -08:00 [DBG] Renewal period: 55 days
2021-01-02 00:00:25.197 -08:00 [VRB] Sending e-mails false
2021-01-02 00:00:25.221 -08:00 [INF] Software version 2.1.13.978 (RELEASE, PLUGGABLE, 64-bit) started
2021-01-02 00:00:25.222 -08:00 [INF] ACME server "https://acme-v02.api.letsencrypt.org/"
2021-01-02 00:00:25.231 -08:00 [VRB] SecurityProtocol setting: "SystemDefault"
2021-01-02 00:00:25.244 -08:00 [DBG] Send GET request to "https://acme-v02.api.letsencrypt.org/directory"
2021-01-02 00:00:25.830 -08:00 [VRB] Request completed with status "OK"
2021-01-02 00:00:25.835 -08:00 [DBG] Connection OK!
2021-01-02 00:00:25.841 -08:00 [INF] IIS version 10.0
2021-01-02 00:00:25.854 -08:00 [INF] Running with administrator credentials
2021-01-02 00:00:26.119 -08:00 [INF] Scheduled task looks healthy
2021-01-02 00:00:26.189 -08:00 [INF] Please report issues at https://github.com/win-acme/win-acme
2021-01-02 00:00:26.245 -08:00 [VRB] Test for international support: 語言 язык لغة
2021-01-02 00:00:26.278 -08:00 [INF] Running in mode: "Unattended"
2021-01-02 00:00:26.344 -08:00 [VRB] Adding 8.8.8.8 as DNS server
2021-01-02 00:00:26.357 -08:00 [VRB] Adding 1.1.1.1 as DNS server
2021-01-02 00:00:26.358 -08:00 [VRB] Adding 8.8.4.4 as DNS server
2021-01-02 00:00:26.583 -08:00 [INF] Target generated using plugin Manual: mail.custom-hubcaps.com and 1 alternatives
2021-01-02 00:00:27.135 -08:00 [WRN] Overwriting previously created renewal
2021-01-02 00:00:27.156 -08:00 [VRB] Targeted convert into 1 order(s)
2021-01-02 00:00:27.160 -08:00 [VRB] Handle order 1/1: Main
2021-01-02 00:00:27.234 -08:00 [VRB] Creating order for hosts: ["mail.custom-hubcaps.com","autodiscover.custom-hubcaps.com"]
2021-01-02 00:00:27.301 -08:00 [VRB] Loading ACME account signer...
2021-01-02 00:00:27.444 -08:00 [DBG] Loading signer from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Signer_v2
2021-01-02 00:00:27.677 -08:00 [VRB] Constructing ACME protocol client...
2021-01-02 00:00:27.690 -08:00 [DBG] Send GET request to "https://acme-v02.api.letsencrypt.org/directory"
2021-01-02 00:00:28.135 -08:00 [VRB] Request completed with status "OK"
2021-01-02 00:00:28.222 -08:00 [DBG] Send HEAD request to "https://acme-v02.api.letsencrypt.org/acme/new-nonce"
2021-01-02 00:00:28.280 -08:00 [VRB] Request completed with status "OK"
2021-01-02 00:00:28.290 -08:00 [VRB] Loading ACME account
2021-01-02 00:00:28.291 -08:00 [DBG] Loading account information from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Registration_v2
2021-01-02 00:00:28.316 -08:00 [VRB] ACME client initialized
2021-01-02 00:00:28.527 -08:00 [DBG] Send POST request to "https://acme-v02.api.letsencrypt.org/acme/new-order"
2021-01-02 00:00:29.846 -08:00 [VRB] Request completed with status "Created"
2021-01-02 00:00:29.865 -08:00 [VRB] Order https://acme-v02.api.letsencrypt.org/acme/order/107734132/7078597572 created
2021-01-02 00:00:30.290 -08:00 [WRN] Using cached certificate for [Manual] mail.custom-hubcaps.com. To force a new request of the certificate within 1 days, run with the --force switch.
2021-01-02 00:00:30.297 -08:00 [DBG] Certificate store: My
2021-01-02 00:00:30.298 -08:00 [INF] Store with CertificateStore...
2021-01-02 00:00:30.327 -08:00 [WRN] Certificate with thumbprint E48D7B82CDC9E41A32229539ED31448B0E674319 is already in the store
2021-01-02 00:00:30.336 -08:00 [INF] Installation step 1/2: IIS...
2021-01-02 00:00:30.454 -08:00 [INF] Updating existing https binding :443 (flags: 0)
2021-01-02 00:00:30.540 -08:00 [INF] Committing 1 https binding changes to IIS
2021-01-02 00:00:30.816 -08:00 [INF] Installation step 2/2: Script...
2021-01-02 00:00:30.888 -08:00 [INF] Script ./Scripts/ImportExchange.ps1 starting with parameters 'E48D7B82CDC9E41A32229539ED31448B0E674319' 'IIS,SMTP,IMAP' 1 'C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates\3cFQL-vd50iBHRryvT9N1w-aa9498b61c2969c3c66632e7817bfaf855b76f19-temp.pfx' '6fwEkaCUWA5CeicTrYG6pRUT+ogVIpLOIbMNsDPOJBk=' '[Manual] mail.custom-hubcaps.com @ 2021/1/1 23:44:03'
2021-01-02 00:00:31.044 -08:00 [DBG] Process launched: powershell.exe (ID: 22480)
2021-01-02 00:00:34.455 -08:00 [VRB] NewCertThumbprint: E48D7B82CDC9E41A32229539ED31448B0E674319
2021-01-02 00:00:34.463 -08:00 [VRB] Waiting for process to finish...
2021-01-02 00:00:35.179 -08:00 [VRB] ExchangeServices: IIS,SMTP,IMAP
2021-01-02 00:00:35.187 -08:00 [VRB] LeaveOldExchangeCerts: 1
2021-01-02 00:00:35.206 -08:00 [VRB] RenewalId: 
2021-01-02 00:00:35.448 -08:00 [VRB] CacheFile: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates\3cFQL-vd50iBHRryvT9N1w-aa9498b61c2969c3c66632e7817bfaf855b76f19-temp.pfx
2021-01-02 00:00:35.455 -08:00 [VRB] FriendlyName: [Manual] mail.custom-hubcaps.com @ 2021/1/1 23:44:03
2021-01-02 00:00:35.467 -08:00 [VRB] Searching for Exchange snapin...
2021-01-02 00:00:36.719 -08:00 [VRB] Waiting for process to finish...
2021-01-02 00:00:39.196 -08:00 [VRB] Waiting for process to finish...
2021-01-02 00:00:40.503 -08:00 [VRB] Microsoft.Exchange.Management.PowerShell.E2010
2021-01-02 00:00:40.629 -08:00 [VRB] Microsoft.Exchange.Management.PowerShell.SnapIn
2021-01-02 00:00:40.768 -08:00 [VRB] Checking if certificate can be found in the right store...
2021-01-02 00:00:41.444 -08:00 [VRB] Waiting for process to finish...
2021-01-02 00:00:41.962 -08:00 [VRB] Updating Exchange services...
2021-01-02 00:00:44.516 -08:00 [VRB] Waiting for process to finish...
2021-01-02 00:00:47.630 -08:00 [VRB] Waiting for process to finish...
2021-01-02 00:00:50.414 -08:00 [VRB] Waiting for process to finish...
2021-01-02 00:00:53.392 -08:00 [VRB] Waiting for process to finish...
2021-01-02 00:00:55.734 -08:00 [VRB] Waiting for process to finish...
2021-01-02 00:00:57.878 -08:00 [VRB] Waiting for process to finish...
2021-01-02 00:01:00.367 -08:00 [VRB] Waiting for process to finish...
2021-01-02 00:01:02.816 -08:00 [VRB] Waiting for process to finish...
2021-01-02 00:01:05.925 -08:00 [VRB] Waiting for process to finish...
2021-01-02 00:01:08.582 -08:00 [VRB] Waiting for process to finish...
2021-01-02 00:01:09.375 -08:00 [VRB] Certificate set for the following services: IIS,SMTP,IMAP
2021-01-02 00:01:09.823 -08:00 [VRB] Process output without data received
2021-01-02 00:01:10.077 -08:00 [VRB] Process error without data received
2021-01-02 00:01:10.247 -08:00 [INF] NewCertThumbprint: E48D7B82CDC9E41A32229539ED31448B0E674319
ExchangeServices: IIS,SMTP,IMAP
LeaveOldExchangeCerts: 1
RenewalId: 
CacheFile: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates\3cFQL-vd50iBHRryvT9N1w-aa9498b61c2969c3c66632e7817bfaf855b76f19-temp.pfx
FriendlyName: [Manual] mail.custom-hubcaps.com @ 2021/1/1 23:44:03
Searching for Exchange snapin...
Microsoft.Exchange.Management.PowerShell.E2010
Microsoft.Exchange.Management.PowerShell.SnapIn
Checking if certificate can be found in the right store...
Updating Exchange services...
Certificate set for the following services: IIS,SMTP,IMAP

2021-01-02 00:01:10.260 -08:00 [INF] Script finished
2021-01-02 00:01:11.078 -08:00 [VRB] Waiting for process to finish...
2021-01-02 00:01:11.098 -08:00 [INF] Scheduled task looks healthy
2021-01-02 00:01:11.107 -08:00 [INF] Next renewal scheduled at 2021/2/26 0:00:27
2021-01-02 00:01:11.188 -08:00 [INF] Certificate [Manual] mail.custom-hubcaps.com created
2021-01-02 00:01:11.304 -08:00 [VRB] Exiting with status code 0
2021-01-02 10:52:01.359 -08:00 [INF] Arguments: --renew --baseuri https://acme-v02.api.letsencrypt.org/
2021-01-02 10:52:01.488 -08:00 [INF] Software version 2.1.13.978 (RELEASE, PLUGGABLE, 64-bit) started
2021-01-02 10:52:01.490 -08:00 [INF] ACME server "https://acme-v02.api.letsencrypt.org/"
2021-01-02 10:52:08.313 -08:00 [INF] IIS version 10.0
2021-01-02 10:52:08.317 -08:00 [INF] Running with administrator credentials
2021-01-02 10:52:08.407 -08:00 [INF] Scheduled task looks healthy
2021-01-02 10:52:08.407 -08:00 [INF] Please report issues at https://github.com/win-acme/win-acme
2021-01-02 10:52:09.197 -08:00 [INF] Renewal for [Manual] mail.custom-hubcaps.com is due after "2021-02-25T23:52:11.7958433-08:00"
2021-01-02 10:52:09.298 -08:00 [INF] Renewal for [Manual] mail.custom-hubcaps.com is due after "2021-02-26T00:00:27.1595245-08:00"

My web server is (include version): EXSRV.custom-hubcaps.com

The operating system my web server runs on is (include version): Windows Server 2019 v1809

My hosting provider, if applicable, is: IIS on premises

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1 Like

I'm unable to reproduce the R3 issue mentioned in the topic.
If you could, please show a screenshot of the error message.

mail.custom-hubcaps.com resolves to two IPs:

  • 172.16.5.35 (RFC 1918): no Internet route.
  • 75.145.78.197: no web service responding.

exsrv.custom-hubcaps.com does not resolve to an IP.

2 Likes
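The resolution check in the reply above is worth automating before a certificate is blamed: a name on the certificate that resolves to an RFC 1918 address, or does not resolve at all, can never pass HTTP-01 validation and will make every external client's TLS check fail. The script below is an added example written for this thread, not win-acme's or Let's Encrypt's code. The resolution data in `SAMPLE_RESOLUTION` is constructed from the addresses quoted in the reply so the diagnosis runs offline; `resolve_live` and `served_certificate` are assumed helpers that need network access and are only used from `main`.

```python
"""Check the DNS side of a certificate problem before looking at the certificate itself.

Added example for this thread (not win-acme's or Let's Encrypt's code): resolve each
name that should be on the certificate, flag addresses that are not globally routable
(RFC 1918 and other private/special ranges), and optionally inspect the certificate
the host actually presents on :443.
"""
import ipaddress
import socket
import ssl
from typing import Dict, List

# Constructed sample, built from the addresses quoted in the reply above.
SAMPLE_RESOLUTION: Dict[str, List[str]] = {
    "mail.custom-hubcaps.com": ["172.16.5.35", "75.145.78.197"],
    "autodiscover.custom-hubcaps.com": ["75.145.78.197"],
    "exsrv.custom-hubcaps.com": [],  # no A record at all
}


def classify_addresses(host: str, addresses: List[str]) -> Dict[str, object]:
    """Split resolved addresses into globally routable and non-routable ones.

    ACME HTTP-01 validation and every external client only ever reach the globally
    routable addresses; an RFC 1918 address published in a public zone is dead weight
    and often a sign the zone was edited by hand.
    """
    reachable: List[str] = []
    unreachable: List[str] = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        (reachable if ip.is_global else unreachable).append(addr)
    return {"host": host, "reachable": reachable, "unreachable": unreachable}


def diagnose(resolved: Dict[str, List[str]]) -> List[str]:
    """Turn a {hostname: [addresses]} map into a list of findings (empty = all good)."""
    findings: List[str] = []
    for host, addrs in resolved.items():
        if not addrs:
            findings.append(f"{host}: does not resolve (missing A/AAAA record)")
            continue
        result = classify_addresses(host, addrs)
        for addr in result["unreachable"]:
            findings.append(
                f"{host}: {addr} is not globally routable; ACME validation cannot reach it"
            )
        if not result["reachable"]:
            findings.append(f"{host}: no globally routable address at all")
    return findings


def resolve_live(host: str) -> List[str]:
    """Resolve a name with the system resolver (assumed helper; needs network access)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def served_certificate(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the certificate a host presents (assumed helper; needs network access).

    The default context verifies the chain and the hostname, so a certificate that
    browsers would flag as invalid makes this raise ssl.SSLCertVerificationError,
    which is the same symptom the original poster reported.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def main() -> None:
    # Offline run over the constructed sample; swap in resolve_live() for a real zone.
    for line in diagnose(SAMPLE_RESOLUTION):
        print(line)


if __name__ == "__main__":
    main()
```

Running it over the constructed sample reports the private address on `mail.custom-hubcaps.com` and the missing record for `exsrv.custom-hubcaps.com`, which matches the two problems the reply identified; for a live zone, build the map with `resolve_live` for each SAN on the certificate and only then call `served_certificate`.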

Hi Rudy, thank you for responding to my request for support. The issue has been resolved: a misconfigured Exchange database path and .edb name, along with missing DNS A record entries for the mail and Autodiscover subdomains, were causing havoc on the hybrid configuration and Let's Encrypt certificate validation.
Again, thank you for your support; you can close this ticket and chalk the topic up as resolved.
Jose Plunkett

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.